What outgoing network connections should be allowed from a JIRA server?

François Manchon September 18, 2011

Hi,

My customer's IT department has a rather strict network security policy. They won't let a JIRA app server connect to uncontrolled servers on the public Internet.

To download, install or upgrade JIRA plugins, I need the server to open connections to Atlassian servers using HTTP and / or HTTPS. Is there any other feature that needs this?

I guess the question is: where can I find a (hopefully exhaustive) list of outgoing connections (server names, IP addresses, port numbers) that should be allowed to go through the corporate firewall?

Thanks,

1 answer

Answer accepted
Radu Dumitriu
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 18, 2011

"They won't let a JIRA app server connect to uncontrolled servers on the public Internet.". Paranoia sometimes pays back ...

"To download, install or upgrade JIRA plugins, I need the server to open connections to Atlassian servers using HTTP and / or HTTPS. Is there any other feature that needs this?"

No, you do not need it, you can do it manually each time.

AFAIK: outgoing connections are: HTTP / HTTPS to all domain atlassian.com. Depending on the plugins, you may need connections to the plugins sites as well.

François Manchon September 19, 2011

Radu, thanks for your answer.

"HTTP / HTTPS to all domain atlassian.com."

Yes, that would be my first guess as well. However, a network capture tells me that JIRA is contacting "63-246-22-216.contegix.com". I understand that Contegix is Atlassian's hosting partner (http://confluence.atlassian.com/display/EHOSTING/Contegix+Hosting), so I guess I need to add that as well.

Anything else?

Radu Dumitriu
September 20, 2011

I never caught it going to contegix.com (but, of course, I believe you). But my advice would be that if you want to secure it as much as possible, cut all and install manually the needed plugins.

JamieA
September 20, 2011

Prevent the UPM from even attempting it with -Dupm.pac.disable=true.

François Manchon September 20, 2011

Thanks again. Here is the summary I will submit to my IT dept:

Protocols/ports:

  • User interface: HTTPS/8443
  • JIRA e-mail notification: outgoing SMTP/25.
  • Allow for incoming SMTP, so that users can reply to notification e-mail (rather than using the Web user interface)
  • Database server: MySQL/3306. Currently running on the JIRA server itself.
  • JIRA management: HTTPS/8443
  • JIRA management also needs outgoing access to the Internet: HTTP/80 and HTTPS/443. Known servers are *.atlassian.com and *contegix.com. Other servers may be needed in the future.
  • Linux management, including JIRA maintenance: SSH/22
  • System e-mail: SMTP/25.
  • File upload/download: SFTP/22, also occasionally using Windows File Sharing (Samba) on our lab server


I am not mentioning other protocols such as DNS or NTP which I assume are part of the corporate network infrastructure.

Did I miss anything?

JamieA
September 20, 2011

Your question was about access through the firewall to the public internet. Nearly none of those ports should be through the firewall, e.g. your SMTP server, database etc. will all be inside the firewall.

Radu Dumitriu
September 20, 2011

Completing Jamie's answer: if you plan to use Jira ONLY from your corporate network, you should not allow even incoming http and https from Internet. Otherwise, completely agree with his comment above.

JamieA
September 20, 2011

Yes, your systems admin guys will be fired if they agreed to what you are suggesting anyway;-) Particularly ssh - if that was allowed we wouldn't have the fun of doing reverse tunnelling through socks proxies.

François Manchon September 21, 2011

Yes, almost all of the network connections I listed are bound to remain within the corporate network. The only one that might be allowed (depending on the paranoid IT guys ;-) is this one:

  • JIRA management also needs outgoing access to the Internet: HTTP/80 and HTTPS/443. Known servers are *.atlassian.com and *contegix.com. Other servers may be needed in the future.

Thanks again for your comments. I consider the question answered.
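
An added example, not part of any post in this thread: a Python check that audits observed outbound connections against the HTTP/HTTPS allowlist from the summary above, and shows how a pattern with and without a label boundary treats the same host. All sample hosts except 63-246-22-216.contegix.com are constructed, reading the patterns as shell-style globs is an assumption, and `PATTERNS_TIGHT` is a hypothetical stricter variant.

```python
from fnmatch import fnmatchcase

ALLOWED_PORTS = {80, 443}  # HTTP/80 and HTTPS/443, as in the summary
PATTERNS_AS_WRITTEN = ["*.atlassian.com", "*contegix.com"]  # from the thread
PATTERNS_TIGHT = ["*.atlassian.com", "*.contegix.com"]      # hypothetical variant

# Constructed sample of (destination host, port) pairs; only the
# 63-246-22-216.contegix.com host name appears in the thread.
OBSERVED = [
    ("host.atlassian.com", 443),
    ("63-246-22-216.contegix.com", 80),
    ("lookalike-contegix.com", 443),
    ("host.atlassian.com", 8080),
    ("updates.example.org", 443),
]

def normalise(host):
    """Lower-case and drop the trailing root dot so matching is consistent."""
    return host.strip().rstrip(".").lower()

def host_allowed(host, patterns):
    """True if the normalised host matches any allowlist pattern."""
    return any(fnmatchcase(normalise(host), p) for p in patterns)

def audit(observed, patterns, ports=ALLOWED_PORTS):
    """Return (host, port, reason) for every connection outside the policy."""
    findings = []
    for host, port in observed:
        if not host_allowed(host, patterns):
            findings.append((normalise(host), port, "host not in allowlist"))
        elif port not in ports:
            findings.append((normalise(host), port, "port not in allowlist"))
    return findings

def widened_hosts(observed, loose, tight):
    """Hosts the loose patterns accept but the tight ones reject."""
    return sorted({normalise(h) for h, _ in observed
                   if host_allowed(h, loose) and not host_allowed(h, tight)})

if __name__ == "__main__":
    for label, pats in (("as written", PATTERNS_AS_WRITTEN),
                        ("tight", PATTERNS_TIGHT)):
        print(label)
        for finding in audit(OBSERVED, pats):
            print("  ", finding)
    print("accepted only by the loose pattern:",
          widened_hosts(OBSERVED, PATTERNS_AS_WRITTEN, PATTERNS_TIGHT))
```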
